agent-airlock
Agent-Airlock is a security tool designed to protect AI agents from making dangerous or unintended actions. It acts as a firewall, intercepting and validating actions before they are executed. Developers can easily integrate it into their AI agent projects with a single decorator. This tool is particularly useful for those building autonomous agents that interact with sensitive systems or data. Agent-Airlock helps prevent common issues like hallucinated tool calls and incorrect data types. It provides a simple way to add a layer of safety and control to AI agent behavior, reducing the risk of errors and security breaches.
AI agents often hallucinate tool calls or provide incorrect data types, potentially leading to disastrous consequences like accidental data deletion or unauthorized actions. Agent-Airlock solves this by providing a simple, automated way to validate and control agent actions, preventing these errors without requiring complex manual oversight.
README
<div align="center">
<!-- Animated Typing Header -->
<a href="https://github.com/sattyamjjain/agent-airlock">
<img src="https://readme-typing-svg.demolab.com?font=Fira+Code&weight=700&size=28&duration=3000&pause=1000&color=00D4FF&center=true&vCenter=true&multiline=true&repeat=true&width=700&height=100&lines=%F0%9F%9B%A1%EF%B8%8F+Agent-Airlock;Your+AI+Agent+Just+Tried+rm+-rf+%2F.+We+Stopped+It." alt="Agent-Airlock Typing Animation" />
</a>
### The Open-Source Firewall for AI Agents
**One decorator. Zero trust. Full control.**
<br/>
[**Get Started in 30 Seconds**](#-30-second-quickstart) · [**Why Airlock?**](#-the-problem-no-one-talks-about) · [**All Frameworks**](#-framework-compatibility) · [**Docs**](#-documentation)
<br/>
</div>
---
<!-- Hero Visual Block -->
<div align="center">
```
┌────────────────────────────────────────────────────────────────┐
│ 🤖 AI Agent: "Let me help clean up disk space..." │
│ ↓ │
│ rm -rf / --no-preserve-root │
│ ↓ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ 🛡️ AIRLOCK: BLOCKED │ │
│ │ │ │
│ │ Reason: Matches denied pattern 'rm_*' │ │
│ │ Policy: STRICT_POLICY │ │
│ │ Fix: Use approved cleanup tools only │ │
│ └──────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────┘
```
</div>
---
## 🎯 30-Second Quickstart
```bash
pip install agent-airlock
```
```python
from agent_airlock import Airlock

@Airlock()
def transfer_funds(account: str, amount: int) -> dict:
    return {"status": "transferred", "amount": amount}

# LLM sends amount="500" (string) → BLOCKED with fix_hint
# LLM sends force=True (invented arg) → STRIPPED silently
# LLM sends amount=500 (correct) → EXECUTED safely
```
**That's it.** Your function now has ghost argument stripping, strict type validation, and self-healing errors.
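To make the three behaviours in the comments above concrete, here is an added, self-contained decorator that reproduces them (ghost-argument stripping, strict type checks with no coercion, and a machine-readable fix hint), together with the name-pattern deny rule from the hero block. It is illustrative code written for this page, not the library's implementation; `airlock`, `Blocked`, `rm_temp_files` and the `denied` parameter are invented names, and only plain builtin annotations such as `str` and `int` are handled.

```python
import fnmatch
import inspect
from dataclasses import dataclass
from functools import wraps
from typing import Any, Callable

@dataclass(frozen=True)
class Blocked:
    """Returned instead of raising so the calling LLM can read the reason and retry."""
    reason: str
    fix_hint: str

def airlock(denied: tuple[str, ...] = ()) -> Callable:
    """Illustrative decorator (not the library's): deny by tool-name glob, strip
    undeclared kwargs, enforce declared types exactly. Tool calls arrive as keyword
    dicts, so the guarded function accepts keyword arguments only."""
    def decorate(fn: Callable) -> Callable:
        sig = inspect.signature(fn)
        hints = {p.name: p.annotation for p in sig.parameters.values()}

        @wraps(fn)
        def guarded(**kwargs: Any) -> Any:
            # 1. Policy: tool name matched against denied glob patterns (e.g. 'rm_*').
            for pattern in denied:
                if fnmatch.fnmatchcase(fn.__name__, pattern):
                    return Blocked(f"Matches denied pattern '{pattern}'",
                                   "Use approved tools only")
            # 2. Ghost arguments: silently drop anything the function never declared.
            accepted = {k: v for k, v in kwargs.items() if k in hints}
            # 3. Strict types: exact match, so "500" is not int and True is not int.
            for name, value in accepted.items():
                expected = hints[name]
                if expected is not inspect.Parameter.empty and type(value) is not expected:
                    return Blocked(
                        f"Argument '{name}' has type {type(value).__name__}, "
                        f"expected {expected.__name__}",
                        f"Resend with {name}={expected.__name__}({value!r})")
            # 4. Required arguments the model forgot to send.
            missing = [n for n, p in sig.parameters.items()
                       if p.default is inspect.Parameter.empty and n not in accepted]
            if missing:
                return Blocked(f"Missing required argument(s): {', '.join(missing)}",
                               "Supply every required argument")
            return fn(**accepted)
        return guarded
    return decorate

@airlock(denied=("rm_*",))
def transfer_funds(account: str, amount: int) -> dict:
    return {"status": "transferred", "account": account, "amount": amount}

@airlock(denied=("rm_*",))
def rm_temp_files(path: str) -> str:  # constructed example of a tool the policy denies
    return f"deleted {path}"
```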
---
## 🧠 The Problem No One Talks About
<table>
<tr>
<td width="50%">
### The Hype
> *"MCP has 16,000+ servers on GitHub!"*
> *"OpenAI adopted it!"*
> *"Linux Foundation hosts it!"*
</td>
<td width="50%">
### The Reality
**LLMs hallucinate tool calls. Every. Single. Day.**
- Claude invents arguments that don't exist
- GPT-4 sends `"100"` when you need `100`
- Agents chain 47 calls before one deletes prod data
</td>
</tr>
</table>
**Enterprise solutions exist:** Prompt Security ($50K/year), Pangea (proxy your data), Cisco ("coming soon").
**We built the open-source alternative.** One decorator. No vendor lock-in. Your data never leaves your infrastructure.
---
## ✨ What You Get
<table>
<tr>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/delete-shield.png" alt="shield"/>
<br/><b>Ghost Args</b>
<br/><sub>Strip LLM-invented params</sub>
</td>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/checked.png" alt="check"/>
<br/><b>Strict Types</b>
<br/><sub>No silent coercion</sub>
</td>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/refresh.png" alt="refresh"/>
<br/><b>Self-Healing</b>
<br/><sub>LLM-friendly errors</sub>
</td>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/lock.png" alt="lock"/>
<br/><b>E2B Sandbox</b>
<br/><sub>Isolated execution</sub>
</td>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/user-shield.png" alt="user"/>
<br/><b>RBAC</b>
<br/><sub>Role-based access</sub>
</td>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/privacy.png" alt="privacy"/>
<br/><b>PII Mask</b>
<br/><sub>Auto-redact secrets</sub>
</td>
</tr>
<tr>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/network-card.png" alt="network"/>
<br/><b>Network Guard</b>
<br/><sub>Block data exfiltration</sub>
</td>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/folder-invoices.png" alt="folder"/>
<br/><b>Path Validation</b>
<br/><sub>CVE-resistant traversal</sub>
</td>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/restart.png" alt="circuit"/>
<br/><b>Circuit Breaker</b>
<br/><sub>Fault tolerance</sub>
</td>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/analytics.png" alt="otel"/>
<br/><b>OpenTelemetry</b>
<br/><sub>Enterprise observability</sub>
</td>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/money-bag.png" alt="cost"/>
<br/><b>Cost Tracking</b>
<br/><sub>Budget limits</sub>
</td>
<td align="center" width="16%">
<img width="40" src="https://img.icons8.com/fluency/48/syringe.png" alt="vaccine"/>
<br/><b>Vaccination</b>
<br/><sub>Auto-secure frameworks</sub>
</td>
</tr>
</table>
---
## 📋 Table of Contents
<details>
<summary><b>Click to expand full navigation</b></summary>
- [30-Second Quickstart](#-30-second-quickstart)
- [The Problem](#-the-problem-no-one-talks-about)
- [What You Get](#-what-you-get)
- [Core Features](#-core-features)
- [E2B Sandbox](#-e2b-sandbox-execution)
- [Security Policies](#-security-policies)
- [Cost Control](#-cost-control)
- [PII Masking](#-pii--secret-masking)
- [Network Airgap](#-network-airgap-v030)
- [Framework Vaccination](#-framework-vaccination-v030)
- [Circuit Breaker](#-circuit-breaker-v040)
- [OpenTelemetry](#-opentelemetry-observability-v040)
- [Framework Compatibility](#-framework-compatibility)
- [FastMCP Integration](#-fastmcp-integration)
- [Comparison](#-why-not-enterprise-vendors)
- [Installation](#-installation)
- [OWASP Compliance](#️-owasp-compliance)
- [Performance](#-performance)
- [Documentation](#-documentation)
- [Contributing](#-contributing)
- [Support](#-support)
</details>
---
## 🔥 Core Features
### 🔒 E2B Sandbox Execution
```python
from agent_airlock import Airlock, STRICT_POLICY

@Airlock(sandbox=True, sandbox_required=True, policy=STRICT_POLICY)
def execute_code(code: str) -> str:
    """Runs in an E2B Firecracker MicroVM. Not on your machine."""
    exec(code)
    return "executed"
```
| Feature | Value |
|---------|-------|
| Boot time | ~125ms cold, <200ms warm |
| Isolation | Firecracker MicroVM |
| Fallback | `sandbox_required=True` block
[truncated…]